Federated Identity Management Checklist

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Federated Identity Management Checklist"

Transcription

1 Federated Identity Management Checklist This document lists the minimum (marked with an *) and recommended policy, process, and technical steps required to implement Federated Identity Management and operate within the InCommon Federation. You may use the checklist to assess your organization s readiness for implementation and to serve as a checklist for those tasks that remain to be completed. Most sections of the checklist have three parts: policy steps, business practice steps, and technical steps. Each batch of steps is sequential. This document was developed by: Steven Carmody, Brown University Jacob Farmer, Indiana University Eric Jansson, NITLE Bob Johnson, Rhodes College John O Keefe, Lafayette College Ann West, InCommon/Internet2 Identity Provider: Identity Management Preparation Policy Steps * Review InCommon Participant Operating Practices (POP) document to familiarize yourself with the policies your organization will need in joining a federation The POP is a document produced by an Identity Provider to help other InCommon members understand their business practices as they relate to Identity Management (IdM). The practices detailed in the POP will serve as a guide as other organizations decide if they are willing to federate with you. Because all InCommon members must maintain online versions of their operating practices, so it is easy to find samples that can help your organization (such as these: Reviewing these sites first will help familiarize you with the policies you will need to address and demonstrate later. Ensure basic identity management policies are in place, including data stewardship and acceptable use policies Outside service providers to whom you provide identity information may have questions about your institution s acceptable user and data stewardship policies and how these compare with their requirements. If you plan to provide federated services to the InCommon community, these questions are especially important as they will let others from outside your network understand policies that relate to their use of your organization resources. * Define policies related to single sign-on (SSO) and authentication SSO is a method that allows a user to perform authentication once and then use it for access to a variety of resources and applications for some period of time. This 5

2 reduces the number of identifiers and passwords a user must remember and reduce the number of times he or she needs to log into and out of systems. This convenience requires some security tradeoffs. These policies are of interest to your service providers in the federation, but they also give good information for informing your users of identity risks and best practices. To address these policies, your organization will need to answer questions such as How long is a sign-on valid (1 hour? Until a web browser is closed?)? These policies are documented in the POP. * Define and publish account creation and termination policies What defines a user for your organization? is a question of key interest to service providers. Organizations to which your institution provides identity information are likely to want to know the steps your institution uses to establish and create user identity (e.g. What identification does your organization require? How accounts are removed when a student graduates or leaves, is the student s account removed immediately? In 1 month?). Service providers may ask for information about account creation, termination or provision in order to ensure your organization s compliance with licensing, published or federation policies, etc. It is a best practice to be explicit about what verification your institution is able to do. These policies are documented in the POP. Define policies on log retention for identity management and provision In relation to the previous policy areas, especially account creation and termination and identity management, service providers may request information related to your logs. Your organization may need to develop policies related to the retention of logs and their use. Practitioners in the IdM space need to be particularly aware of the privacy implications of their log management policies. * Join InCommon See for more information. Business Practice Steps * Provision/de-provision accounts for your users (faculty, staff, and students) based on published policies Before you provide identity to outside providers, your organization needs to ensure compliance with its published policies. For example, have accounts been terminated which are supposed to have been terminated? Since federated identity is heavily reliant on shared policy statements, it is crucial to ensure that your organization is acting in the expected manner. Create problem resolution process for when users forget or lose passwords As with the authentication problems, your organization likely has such processes, and these should be checked against any policies set above. Pay special attention to users who may need password reset performed when they are in a remote location. Create Help Desk support procedures for authentication problems and password changes Your organization probably already has such procedures, but it is best to check these again against the policies in the above steps. Again, special attention is needed for the remote user scenario. * Create a process to address reports of abuse Incident response becomes somewhat more challenging in the federated scenario, because two organizations have to cooperate to collect the necessary forensic 6

3 information. It is important that these procedures be in place before an incident occurs. * Post your InCommon Participant Operating Practice (POP). For more information, see the identity provider portion of Remember that the POP is a living document. It needs to be updated as organizational procedures change. Technical Steps * Install/operate/manage the identity provider package of a SAML federating software system such as Shibboleth If you intend to use Shibboleth, the see https://spaces.internet2.edu/display/shib2/installation for detailed installation, configuration and operation instructions. Identity Provider: Identity Attribute Provisioning Policy Steps Many organization/data stakeholders will need to understand federating and it s impact on the institution, the service portfolio, related issues, and risks. Governance is typically required for ensuring proper data use and federated access is no exception. For example, if a new service provider emerges asking for certain information on service consumers, how can those who want to take advantage of this service determine if this release of information is within organization policies? * Identify who governs the decision to release attributes Organizations need to have a way to decide which attributes are released to service providers and for what purposes. For instance, is this person a student? In what year of studies is this student? This function often oversees compliance issues for government and other policies. Develop policy governing use of your attributes by service providers such as attribute retention, sharing, etc. Organizations should proactively develop and publish policies for service providers on what they will do with identity attribute information once provided. In addition, many schools have developed standard contract language for this to ensure policy adherence. Consider setting up tiers or groups of attribute release policies for different categories of service providers Identifying groups of service providers (library content providers, for instance) and related attribute release constraints can help streamline the governance process for approval. Business Practice Steps * Identify who is responsible for editing/implementing the attribute release policies This process should reflect the policies above, and in particular specify how they are carried out. Institutional policies on separation of concerns and audit should be considered when this determination is made. 7

4 Define process a service provider would use to request attributes and the process used to respond to the request This will happen with new providers and can also happen with new services from existing providers. Who should the provider contact? Who reviews these requests? This process generally implements the policies above. Define process to follow when a service provider requests an attribute that is not currently available as defined by the policy above This process should implement the policies in the Policy Steps section above. * Define problem escalation procedure if identity information is released in conflict with organization policies For example, if the wrong attributes are sent to a service provider, when does your organization notify users? Does your institution make a request to the service provider of some kind? Technical Steps * Extend directory and/or person registry schemas if needed to support eduperson A federation, such as InCommon, require a common data schema to facilitate the passing of identity-related information (attributes) from identity to service providers for access. InCommon requires the support of eduperson data schema. For this step, familiarize yourself with the eduperson data schema at You can choose to support these attributes by storing them in your directory or database. If using Shibboleth, the software can also look up a local attribute in your directory and send it as an eduperson attribute, if you configure it that way. Each attribute in eduperson does not have to be populated. The ones that are most commonly used at this point are edupersonscopedaffiliation, edupersonaffiliation, and edupersonprincipalname. While these are the most common solutions, there are a number of ways to meet this requirement. Ultimately, it matters that you are able to pass data in the appropriately-named attributes. * Configure the identity provider attribute resolver for the appropriate sources Ensure that your organization s identity provider software is providing attributes according to the policies defined above and as needed by the service providers. The attribute resolver in Shibboleth, for example, gets the attributes from your data source (such as a directory or database), performs operations that you specify to ensure that the attribute conforms to your policies and the federation technical and data schema specifications. * Configure the identity provider to release the right attribute(s) to your service providers Newly defined attributes are not released to service providers until you define an attribute filter policy for it. Such policies describe which service providers, under which conditions, receive which attributes. See the Shibboleth 2 documentation wiki on this topic at https://spaces.internet2.edu/display/shib2/idpaddattributefilter for more information. 8

5 Service Provider Preparation Policy Steps * Review InCommon Participant Operating Practices (POP) document to familiarize yourself with the policies your organization will need in joining a federation All InCommon members must maintain online versions of their operating practices. See for more information. * Determine which services you would like to offer to the InCommon Community Who will be accessing your service for what purpose? Determine audience and risk for each offered service and related requirements How will you decide whether they are eligible or not to use the service? What kind of assurance of the user s identity will you require from the accessing organizations? Develop policy governing the use of attributes received by SPs such as attribute retention, sharing, etc. Will you keep the identity attribute information that identity providers send to you and if so, for how long? Ensure your policies are in compliance with the federation requirements Check the InCommon site to ensure your policies are in compliance with the current federation requirements. Business Practice Steps Identify who is responsible for managing the federated access to your service(s) * Identify what attributes you will require from partnering identity providers for access to your service. Determine which services are eligible to receive which attributes. It s best to go with common practice as much as possible. You can review InCommon s attribute overview at * Ensure you have a defined problem resolution process for remote users If a user has a problem accessing your service, where will they get help? * Define problem escalation and support procedure for IdP users of your service(s) If you have a break in service, how will you let your partners know? If you find one or more users abusing your service, how will you contact their home organization? * Define process IdPs would use to request services and the process used to respond to the request * Post your InCommon Participant Operating Practice (POP). For more information, see the service provider portion of 9

6 Technical Steps * Install/operate/manage SAML Service Provider Federating software such as Shibboleth * Connect services to be federated to the federating software and enable them to use the incoming attributes to control access If the application that you are federating doesn t support the federating software, you will have to do some programming work to enable it to use the sent attributes. A growing number of applications, though, support Shibboleth so check shibboleth.internet2.edu or send a note to the Shibboleth Users list to find out about integrated versions. * Add service provider information to the federation metadata * Configure service provider software to use federation metadata and credentials and refresh when required Document how your SP could authorize users given the provided attributes Document how your application could use the supplied attributes in alternative ways, such as for customization or form completion 10

InCommon Basics and Participating in InCommon

InCommon Basics and Participating in InCommon InCommon Basics and Participating in InCommon A Summary of Resources Updated October 25, 2013 Copyright 2011-2013 by Internet2, InCommon and/or the respective authors Table of Contents TABLE OF CONTENTS

More information

A Look at Ourselves: Shibboleth Deployment Self-Assessment Checklist

A Look at Ourselves: Shibboleth Deployment Self-Assessment Checklist A Look at Ourselves: Shibboleth Deployment Self-Assessment Checklist Using the checklist below, we'll look at ourselves to see how we are positioned with respect to the presented stages and use this information

More information

University of Wisconsin-Madison

University of Wisconsin-Madison Shibboleth University of Wisconsin-Madison Added by Keith Hazelton, last edited by Keith Hazelton on Jun 26, 2007 (view change) Labels: (None) Stage 1: Intra-campus Web Single Sign-on - Central Identity

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

Federated Identity Management and Shibboleth: Policy and Technology for Collaboration

Federated Identity Management and Shibboleth: Policy and Technology for Collaboration Federated Identity Management and Shibboleth: Policy and Technology for Collaboration Marianne Colgrove, Deputy CTO, Reed Joel Cooper, Director of Information Technology Services, Carleton John O Keefe,

More information

Single Sign On at Colorado State. Ron Splittgerber

Single Sign On at Colorado State. Ron Splittgerber Single Sign On at Colorado State Ron Splittgerber Agenda Identity Management Authentication Authorization The Problem The Solution: Federation Trust Between Institutions Trust Between Institution and Federal

More information

Shibboleth Authentication. Information Systems & Computing Identity and Access Management May 23, 2014

Shibboleth Authentication. Information Systems & Computing Identity and Access Management May 23, 2014 Shibboleth Authentication Information Systems & Computing Identity and Access Management May 23, 2014 For every question an answer: Why should I care about SAML? What is a Shibboleth? What is a Federation?

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES 1. Federation Participant Information 1.1 The InCommon Participant Operational Practices information below is for: InCommon Participant organization

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications Federated Identity Management and Shibboleth Noreen Hogan Asst. Director Enterprise Admin. Applications Federated Identity Management Management of digital identity/credentials (username/password) Access

More information

InCommon Affiliate Webinar Series

InCommon Affiliate Webinar Series InCommon Affiliate Webinar Series Aegis Identity Case Study: Just-in-Time Provisioning and IDP Proxy Management November 19, 2014 CASE STUDY IN JUST-IN-TIME PROVISIONING AND IDP PROXY MANAGEMENT Jim Faut

More information

Shibboleth User Verification Customer Implementation Guide 2015-03-13 Version 3.5

Shibboleth User Verification Customer Implementation Guide 2015-03-13 Version 3.5 Shibboleth User Verification Customer Implementation Guide 2015-03-13 Version 3.5 TABLE OF CONTENTS Introduction... 1 Purpose and Target Audience... 1 Commonly Used Terms... 1 Overview of Shibboleth User

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access

More information

A Shibboleth View of Federated Identity. Steven Carmody Brown Univ./Internet2 March 6, 2007 Giornata AA - GARR

A Shibboleth View of Federated Identity. Steven Carmody Brown Univ./Internet2 March 6, 2007 Giornata AA - GARR A Shibboleth View of Federated Identity Steven Carmody Brown Univ./Internet2 March 6, 2007 Giornata AA - GARR Short Section Title Agenda Assumptions and Trends Identity Management and Shibboleth Shibboleth

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and

More information

Identity Management. Manager, Identity Management. Academic Technology Services. Michigan State University Board of Trustees

Identity Management. Manager, Identity Management. Academic Technology Services. Michigan State University Board of Trustees Identity Management and Shibboleth h at MSU Jim Green Manager, Identity Management Michigan State t University it Academic Technology Services Identity Management Definition: Identity management is the

More information

Logout in Single Sign-on Systems

Logout in Single Sign-on Systems Logout in Single Sign-on Systems Sanna Suoranta, Asko Tontti, Joonas Ruuskanen, Tuomas Aura IFIP IDMAN, London, UK, 8-9.4.2013 Logout in Single Sign-on Systems Motivation Single sign-on (SSO) systems SSO

More information

Best Practices for Libraries and Library Service Providers

Best Practices for Libraries and Library Service Providers Best Practices for Libraries and Library Service Providers These best practices were developed by the InCommon Library Consortium in 2009. The consortium was formed to explore various potential solutions.

More information

TRUST AND IDENTITY EXCHANGE TALK

TRUST AND IDENTITY EXCHANGE TALK TRUST AND IDENTITY EXCHANGE TALK Ken Klingenstein, Internet2 2015 Internet2 Trust and Identity Why It Matters An Identity Layer for the Internet Benefits for the Rest of the Stack What It Is Technologies

More information

Business and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis

Business and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis Business and Process Requirements Business Requirements mapped to downstream Process Requirements IAM UC Davis IAM-REQ-1 Authorization Capabilities The system shall enable authorization capabilities that

More information

Incident Response Policy

Incident Response Policy Federated 2010 Security Incident Response Policy 1819 South Neil Street, Suite D Champaign, IL 61820-7271 trishak [Type the company name] 217.333.8475 1/1/2011 www.cic.net 1819 So u th Neil Str ee t, Suit

More information

USING ESPRESSO [ESTABLISHING SUGGESTED PRACTICES REGARDING SINGLE SIGN ON] TO STREAMLINE ACCESS

USING ESPRESSO [ESTABLISHING SUGGESTED PRACTICES REGARDING SINGLE SIGN ON] TO STREAMLINE ACCESS USING ESPRESSO [ESTABLISHING SUGGESTED PRACTICES REGARDING SINGLE SIGN ON] TO STREAMLINE ACCESS Andy Ingham (UNC-Chapel Hill) NASIG Annual Conference, June 4, 2011 What I hope to cover Problem statement

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: RESEARCH RESEARCH LTD. 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources being accessed, and that Participants

More information

Integrating Multi-Factor Authentication into Your Campus Identity Management System

Integrating Multi-Factor Authentication into Your Campus Identity Management System Integrating Multi-Factor Authentication into Your Campus Identity Management System Mike Grady, Unicon David Walker, Internet2 (both associated with the Internet2 Scalable Privacy Project) Agenda Multi-Context

More information

Getting Started with Single Sign-On

Getting Started with Single Sign-On Getting Started with Single Sign-On I. Introduction Your institution is considering or has already purchased Collaboratory from Treetop Commons, LLC. One benefit provided to member institutions is Single

More information

New InCommon Working Groups

New InCommon Working Groups New InCommon Working Groups IAM Online August 13, 2014 Steve Carmody, Brown University Paul Caskey, University of Texas System Janemarie Duh, Lafayette College Keith Hazelton, University of Wisconsin Madison

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: University of Lethbridge 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Canadian Access Federation: Trust Assertion Document (TAD) Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Royal Roads University_ Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they

More information

Intro to Federated Identity

Intro to Federated Identity Intro to Federated Identity EuroCAMP Training This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. 1 Lets get a federated identity Do you have access to your email?

More information

Shibboleth N-Tier Support. Chad La Joie chad.lajoie@switch.ch

Shibboleth N-Tier Support. Chad La Joie chad.lajoie@switch.ch Shibboleth N-Tier Support Chad La Joie chad.lajoie@switch.ch Agenda Use Case Terminology Shibboleth Solution Future Effort Resources 2 Use Case Current use case comes from University of Chicago University

More information

ESA EO Identify Management

ESA EO Identify Management ESA EO Identify Management The ESA EO IM Infrastructure & Services A. Baldi ESA: Andrea.Baldi@esa.int M. Leonardi ESA: m.leonardi@rheagroup.com 1 Issues @ ESA with legacy user management Users had multiple

More information

The Research Council

The Research Council Oman Knowledge Identification Federation System Policies The Research Council Sultanate of Oman 2012 The Research Council 2012 Page 1 Introduction Academic and Research organizations have unique identity

More information

Identity Management Issues for Multi-Campus Institutions - University of California -

Identity Management Issues for Multi-Campus Institutions - University of California - Identity Management Issues for Multi-Campus Institutions - University of California - David Walker Jacqueline Craig Office of the President University of California Copyright Regents of the University

More information

Getting Started with Single Sign-On

Getting Started with Single Sign-On Getting Started with Single Sign-On I. Introduction NobleHour sets out to incentivize civic engagement by enabling users within companies, educational institutions, and organizations to conduct and coordinate

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: University of Victoria Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert

More information

Federated Identity: Leveraging Shibboleth to Access On and Off Campus Resources

Federated Identity: Leveraging Shibboleth to Access On and Off Campus Resources Federated Identity: Leveraging Shibboleth to Access On and Off Campus Resources Paul Riddle University of Maryland Baltimore County EDUCAUSE Mid-Atlantic Regional Conference January 16, 2008 Copyright

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: McGill University Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert

More information

Identity and Access Management (IAM) Roadmap DRAFT v2. North Carolina State University

Identity and Access Management (IAM) Roadmap DRAFT v2. North Carolina State University Identity and Access Management (IAM) Roadmap DRAFT v2 North Carolina State University April, 2010 Table of Contents Executive Summary... 3 IAM Dependencies... 4 Scope of the Roadmap... 4 Benefits... 4

More information

IDENTITY MANAGEMENT AUDIT REPORT

IDENTITY MANAGEMENT AUDIT REPORT IDENTITY MANAGEMENT AUDIT REPORT PUBLIC VERSION 6 SEPTEMBER 2011... T +44 (0)1206 873950 E djhall@data-archive.ac.uk W www.data-archive.ac.uk... UK DATA ARCHIVE UNIVERSITY OF ESSEX WIVENHOE PARK COLCHESTER

More information

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only)

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only) Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only) This document is intended for technical professionals who are familiar with SAML and have access to the Identity Provider that will

More information

Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management

Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management 1 Product Roadmap Disclaimer Any forward-looking indication of plans for products is preliminary and all future release

More information

Shibboleth and Library Resources

Shibboleth and Library Resources Shibboleth and Library Resources InCommon Library/Shibboleth Project What is the Library/Shibboleth Project? Established 2007 Five universities + Internet2 Campus IT, Library IT, Librarians Adding Shibboleth

More information

Operating Level Agreement for NYU Login Service

Operating Level Agreement for NYU Login Service Operating Level Agreement for NYU Login Service This Operating Level Agreement (OLA) documents the agreement regarding support of Single Sign-On (SSO) services for a Partner Service, which has been integrated

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and

More information

HP Software as a Service. Federated SSO Guide

HP Software as a Service. Federated SSO Guide HP Software as a Service Federated SSO Guide Document Release Date: July 2014 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying

More information

Cybersecurity and Secure Authentication with SAP Single Sign-On

Cybersecurity and Secure Authentication with SAP Single Sign-On Solution in Detail SAP NetWeaver SAP Single Sign-On Cybersecurity and Secure Authentication with SAP Single Sign-On Table of Contents 3 Quick Facts 4 Remember One Password Only 6 Log In Once to Handle

More information

InCommon Partnership Models and Trust Fabrics. Mark Johnson Mark Scheible Ann West John Krienke David Walker

InCommon Partnership Models and Trust Fabrics. Mark Johnson Mark Scheible Ann West John Krienke David Walker InCommon Partnership Models and Trust Fabrics Mark Johnson Mark Scheible Ann West John Krienke David Walker Overview and Motivation Accelerate development of a business model that supports CAIs MCNC offered

More information

ShibboLEAP Project. Final Report: School of Oriental and African Studies (SOAS) Colin Rennie

ShibboLEAP Project. Final Report: School of Oriental and African Studies (SOAS) Colin Rennie ShibboLEAP Project Final Report: School of Oriental and African Studies (SOAS) Colin Rennie May 2006 Shibboleth Implementation at SOAS Table of Contents Introduction What this document contains Who writes

More information

Guide to Getting Started with the CommIT Pilot

Guide to Getting Started with the CommIT Pilot Guide to Getting Started with the CommIT Pilot Fall 2013 2 Table of Contents What is the CommIT Pilot?... 3 What is the scope for the Pilot?... 3 What is the timeframe for the Pilot?... 5 What are the

More information

ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security FedGIS Conference February 24 25, 2016 Washington, DC ArcGIS Server and Portal for ArcGIS An Introduction to Security Michael Sarhan & Bill Major Using Portal with ArcGIS Server Portal Server Portal and

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

E-LibUkr portal: Case study of Shibboleth and EZProxy in Ukraine.

E-LibUkr portal: Case study of Shibboleth and EZProxy in Ukraine. E-LibUkr portal: Case study of Shibboleth and EZProxy in Ukraine. Yaroshenko Tetiana, yaroshenko[@]ukma.kiev.ua Introduction The Kyiv Mohyla Foundation of America and the National University of Kyiv Mohyla

More information

P U R D U E U N I V E R S I T Y

P U R D U E U N I V E R S I T Y P U R D U E U N I V E R S I T Y IAMO Shibboleth Attribute Release Memorandum of Understanding Between the designated Purdue University administrative or educational group, called the Client, and the Department

More information

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015 Federation At Fermilab Al Lilianstrom National Laboratories Information Technology Summit May 2015 About Fermilab Since 1967, Fermilab has worked to answer fundamental questions and enhance our understanding

More information

SAML Authentication Quick Start Guide

SAML Authentication Quick Start Guide SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright 2013 SafeNet, Inc. All rights reserved.

More information

Issues in federated identity management

Issues in federated identity management Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh 1 Contents Federated identity management overview Open issues for federations 2 Introduction Federated identity

More information

Provisioning and Deprovisioning 1 Provisioning/De-provisiong replacement 1

Provisioning and Deprovisioning 1 Provisioning/De-provisiong replacement 1 Item Count Provisioning/Deprovisioning Automated Deprovisioning 1 Automated on/off boarding from an authoritative source AUTOMATED [DE-]PROVISIONING 1 Removal of resources at the appropriate time 1 Timeliness

More information

NCSU SSO. Case Study

NCSU SSO. Case Study NCSU SSO Case Study 2 2 NCSU Project Requirements and Goals NCSU Operating Environment Provide support for a number Apps and Programs Different vendors have their authentication databases End users must

More information

The State of Identity Management Self-assessment Questionnaire

The State of Identity Management Self-assessment Questionnaire Identity and the Cloud: Preparing Your Campus EDUCAUSE 2010 Pre-Conference Seminar The State of Identity Management Self-assessment Questionnaire Each entry below describes an aspect of identity management

More information

CommIT: Simplifying Admissions Identity Management

CommIT: Simplifying Admissions Identity Management CommIT: Simplifying Admissions Identity Management IAM Online August 14, 2013 Speaker: Charlie Leonhardt, Georgetown University Moderator: Rodney Petersen, Senior Government Relations Officer and Managing

More information

McAfee Cloud Single Sign On

McAfee Cloud Single Sign On Setup Guide Revision B McAfee Cloud Single Sign On COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

Evaluation of different Open Source Identity management Systems

Evaluation of different Open Source Identity management Systems Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems

More information

Federation Operator Procedures

Federation Operator Procedures UK Access Management Federation for Education and Research Federation Operator Procedures 1 st August 2011 Version 2.1 ST/AAI/UKF/DOC/005 Contents 1 Introduction 3 2 Membership application processing 3

More information

SD Departmental Meeting November 28 th, 2006. Ale de Vries Product Manager ScienceDirect Elsevier

SD Departmental Meeting November 28 th, 2006. Ale de Vries Product Manager ScienceDirect Elsevier ש בולת SD Departmental Meeting November 28 th, 2006 Ale de Vries Product Manager ScienceDirect Elsevier Shi... whát? : Shibboleth ש בולת [...] "stream, torrent". It derives from a story in the Hebrew Bible,

More information

Introduction to Identity and Access Management for the engineers. Radovan Semančík April 2014

Introduction to Identity and Access Management for the engineers. Radovan Semančík April 2014 Introduction to Identity and Access Management for the engineers Radovan Semančík April 2014 How it works now? Manager Admin Login Users Login Admin Login Login Login Theory Manager Admin Forgot password

More information

OneLogin Integration User Guide

OneLogin Integration User Guide OneLogin Integration User Guide Table of Contents OneLogin Account Setup... 2 Create Account with OneLogin... 2 Setup Application with OneLogin... 2 Setup Required in OneLogin: SSO and AD Connector...

More information

CAS s IDP system and resources in Education Cloud

CAS s IDP system and resources in Education Cloud CAS s IDP system and resources in Education Cloud DAREN ZHA CANS2015, Chengdu Outline CAS s IDP system and Education Cloud introduction Problems of interoperation A interoperation plan CAS s Education

More information

Implementing Shibboleth at a UK National Academic Data Centre

Implementing Shibboleth at a UK National Academic Data Centre Implementing Shibboleth at a UK National Academic Data Centre Ross MacIntyre MIMAS Manchester Computing, The University of Manchester, Oxford Road, Manchester, M13 9PL, UK ross.macintyre@manchester.ac.uk

More information

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department jmikhael@masdar.ac.ae Masdar Institute Single Sign-On: Standards-based Identity Federation John Mikhael ICT Department jmikhael@masdar.ac.ae Agenda The case for Single Sign-On (SSO) Types of SSO Standards-based Identity Federation

More information

ABOUT TOOLS4EVER ABOUT DELOITTE RISK SERVICES

ABOUT TOOLS4EVER ABOUT DELOITTE RISK SERVICES CONTENTS About Tools4ever... 3 About Deloitte Risk Services... 3 HelloID... 4 Microsoft Azure... 5 HelloID Security Architecture... 6 Scenarios... 8 SAML Identity Provider (IDP)... 8 Service Provider SAML

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name:_Cengage Gale_ Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative

More information

Authentication Methods

Authentication Methods Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the

More information

QualysGuard SAML 2.0 Single Sign-On. Technical Brief

QualysGuard SAML 2.0 Single Sign-On. Technical Brief QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,

More information

Introduction to Identity Management. Sam Lee, Outblaze Ltd.

Introduction to Identity Management. Sam Lee, Outblaze Ltd. Introduction to Identity Management Sam Lee, Outblaze Ltd. Agenda Background Identity Management Single Sign-On Federation Future s Identity management Conclusions 2 Background Why identity management?

More information

Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance

Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance Christina Stephan, MD Co-Chair Liberty Alliance ehealth SIG National Library of Medicine

More information

seamless simplicity to simple identity management in education.

seamless simplicity to simple identity management in education. seamless simplicity to simple identity management in education. we ve had a lot of feedback but sums it up nicely. the YouID family There are currently two products in the YouID portfolio, both developed

More information

Identity Assurance Assessment Framework. February 11, 2013 Version 1.2

Identity Assurance Assessment Framework. February 11, 2013 Version 1.2 Identity Assurance Assessment Framework February 11, 2013 Version 1.2 EXECUTIVE SUMMARY The degree to which a Service Provider is willing to accept an Assertion of Identity from an Identity Provider may

More information

Multi-Factor Authentication, Assurance, and the Multi-Context Broker

Multi-Factor Authentication, Assurance, and the Multi-Context Broker Multi-Factor Authentication, Assurance, and the Multi-Context Broker IAM Online April 30, 2014 Keith Wessel, University of Illinois, Urbana-Champaign David Langenberg, University of Chicago David Walker,

More information

Merit Cloud Media User Guide

Merit Cloud Media User Guide in collaboration with NJEDgeNet Table of Contents 1 Requirements... 3 1.1 Shibboleth... 3 1.2 Administration Hierarchy... 3 2 Administration Hierarchy... 3 3 Manage Videos... 4 3.1 Supported Video Formats...

More information

Copyright: WhosOnLocation Limited

Copyright: WhosOnLocation Limited How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and

More information

Authentication and Single Sign On

Authentication and Single Sign On Contents 1. Introduction 2. Fronter Authentication 2.1 Passwords in Fronter 2.2 Secure Sockets Layer 2.3 Fronter remote authentication 3. External authentication through remote LDAP 3.1 Regular LDAP authentication

More information

State of Hawaii Excellence in Technology Award Nomination. Single Sign On (SSO) for the Hawaii State Department of Education

State of Hawaii Excellence in Technology Award Nomination. Single Sign On (SSO) for the Hawaii State Department of Education State of Hawaii Excellence in Technology Award Nomination Single Sign On (SSO) for the Hawaii State Department of Education Cross-Boundary Collaboration and Partnerships Data, Information and Knowledge

More information

Update on Identity Management Initiatives: What Are Institutions, Agencies and Federations Doing?

Update on Identity Management Initiatives: What Are Institutions, Agencies and Federations Doing? Update on Identity Management Initiatives: What Are Institutions, Agencies and Federations Doing? Ann West, Michigan Technology University Jackie Charonis, Stanford University Nancy Krogh, University of

More information

Federated Identity Management

Federated Identity Management Federated Identity Management AKA, Identity Federation or just Federation Siju Mammen SANReN 28th March 2013 Table of contents What is Federation? Main Actors in the Federation game Research and Education

More information

Alleviating Password Management Demands on Your IT Service Desk SOLUTION WHITE PAPER

Alleviating Password Management Demands on Your IT Service Desk SOLUTION WHITE PAPER Alleviating Password Management Demands on Your IT Service Desk SOLUTION WHITE PAPER Table of Contents Executive Summary...1 The Importance of Automation...2 The Role of Password Management in Modern Business...3

More information

Remote Authentication and Single Sign-on Support in Tk20

Remote Authentication and Single Sign-on Support in Tk20 Remote Authentication and Single Sign-on Support in Tk20 1 Table of content Introduction:... 3 Architecture... 3 Single Sign-on... 5 Remote Authentication... 6 Request for Information... 8 Testing Procedure...

More information

Standalone SAML Attribute Authority With Shibboleth

Standalone SAML Attribute Authority With Shibboleth CESNET Technical Report 5/2013 Standalone SAML Attribute Authority With Shibboleth IVAN NOVAKOV Received 10. 12. 2013 Abstract The article defines what a standalone attribute authority is and how it can

More information

HP Software as a Service

HP Software as a Service HP Software as a Service Software Version: 6.1 Federated SSO Document Release Date: August 2013 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty

More information

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only) Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only) This document is intended for technical professionals who are familiar with SAML and have access to the Identity Provider that will

More information

SAML SSO Configuration

SAML SSO Configuration SAML SSO Configuration Overview of Single Sign-, page 1 Benefits of Single Sign-, page 2 Overview of Setting Up SAML 2.0 Single Sign-, page 3 SAML 2.0 Single Sign- Differences Between Cloud-Based Meeting

More information

Single Sign On. SSO & ID Management for Web and Mobile Applications

Single Sign On. SSO & ID Management for Web and Mobile Applications Single Sign On and ID Management Single Sign On SSO & ID Management for Web and Mobile Applications Presenter: Manish Harsh Program Manager for Developer Marketing Platforms of NVIDIA (Visual Computing

More information

TrustedX: eidas Platform

TrustedX: eidas Platform TrustedX: eidas Platform Identification, authentication and electronic signature platform for Web environments. Guarantees identity via adaptive authentication and the recognition of either corporate,

More information

Attachment E. RFP Requirements: Mandatory Requirements: Vendor must respond with Yes or No. A No response will render the vendor nonresponsive.

Attachment E. RFP Requirements: Mandatory Requirements: Vendor must respond with Yes or No. A No response will render the vendor nonresponsive. Attachment E RFP Requirements: Mandatory Requirements: Vendor must respond with Yes or No. A No response will render the vendor nonresponsive. Questions Support for Information Security 1. The Supplier

More information

The Top 5 Federated Single Sign-On Scenarios

The Top 5 Federated Single Sign-On Scenarios The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3

More information

Logout Support on SP and Application

Logout Support on SP and Application Logout Support on SP and application Logout Support on SP and Application Possibilities and and Limitations SWITCHaai Team aai@switch.ch Single Logout: Is it possible? Single Logout will work only in some

More information

NetWrix Account Lockout Examiner Version 4.0 Administrator Guide

NetWrix Account Lockout Examiner Version 4.0 Administrator Guide NetWrix Account Lockout Examiner Version 4.0 Administrator Guide Table of Contents Concepts... 1 Product Architecture... 1 Product Settings... 2 List of Managed Domains and Domain Controllers... 2 Email

More information

Higher education has traditionally

Higher education has traditionally C U R R E N T I S S U E S Middleware: Addressing the Top IT Issues on Campus Campus middleware infrastructures are critical strategic resources for addressing cost, security, and access requirements of

More information